Just a note... it's Tipping Point (not Tripping Point.) I'm not a member, yet, but have considered it, and I'm also looking at their IPS solutions (They're discussing partnering with me, for some of my clients, so I'm very interested in everything they're doing, right now...)

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

To determine the worth of a vulnerability, researchers should sign up for an account and submit it for a valuation. If an offer is not made or an offer is made but not accepted by the researcher, the vulnerability information will remain the property of the researcher and will not be used in the Zero Day Initiative (ZDI) program.

That's an interesting paragraph there. "If we don't agree on payment terms, you are free to release to your 0day back into the wild."

I'm not certain I'd like that piece, myself (if I were looking at it from the standpoint of someone who regularly tries to make money on these things,) as once you've submitted it, what's to stop Tipping Point (or whomever) from doing their own research on it, releasing it themselves, or coding things into their products as an 'advance knowledge' release, to give them heads up over other protection vendors.

Note, from Tipping Point's perspective, I COMPLETELY understand it, and as a security professional, in general, I don't have a problem with it, per se. I'm not personally in any position where I want or need to monetarily gain from finding holes in outside code. That doesn't mean that I wouldn't accept compensation if I find a new hole during a pentest - just that I wouldn't go looking through code for the sake of doing it, to make a profit, as other companies or individuals do. But that's just me, and if it's what you're best at, more power to you, because you are using your talents to make the world a better place, in your own way.

Note - There's a fine line, in this world, between those who profit from others' mistakes, and those who profit for the greater benefit of others... (While this falls into both categories, it becomes, to me, 'Which perspective or side are you acting from, when you submit the 0day?') This is one of those very gray areas (not black and white) in the security world. If you're doing it for good reasons, and making money while you're at it, that's great! If you view it as trying to draw attention to xyz company's code, and really make them look bad (while still making money,) then to me, you're not being ethical. Ethical, in my world, isn't intentionally making another vendor or developer look bad, but rather, working to help them, and their customers, to be more secure and trustworthy. So programs like this one, when utilized properly, in an effort to benefit all, are, IMHO, good ones.

I only know that, for me in general, I have better use of my own time, NOT digging through code all day looking for issues, when I can be more valuable in educating customers, coworkers, the community at large, and others in all aspects of security, not JUST code.

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

You could have script kiddies that hang out in the "hacker" circles and get their hands on some 0day stuff that floats around. They would then turn around and try to sell that 0day stuff to Tipping Point, without knowing much about it. How does Tipping Point screen this?

Does Tipping Point have a responsibility to report the 0day stuff they don't purchase? They can't simply wash their hands of it and pretend that it didn't exist. Where do they draw the line?

Like I said, to me, it's a very gray line, and I should've clarified, not just for the seller, but the buyer, as well. I've never been a fan of 0day, so to speak, at least not in the way it's ever been handled. And I don't know that there's ever going to be an easy way to 'regulate' it. I think exchanging any money for them is just asking for trouble, unless the sole buyer was to be the vendor who wrote the code, and was willing to buy, for themselves, to remediate. Otherwise, ultimately, there's too much room for error.

However, there's also the devil's advocate position / opinion, that these 0day's may never come to light at all, until it's too late, if nobody is willing to buy in effort to remediate. So it's a catch-22, regardless...

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

Yep, I agree there. These discussions seem to come up once in a while. We had a similar discussion when the anti-sec movement was pwning people. I doubt that there is a good way of handling these situations, since they are morally ambiguous in nature.

there's no insurance for either the buyer or seller in this matter. its like a drugsdeal (which go bad almost all the time, if we believe hollywood). both have something they want, but is it legit? how does either of the both party's know there not getting crossed? like hayabusa said, its like making a deal with the devil, hoping he's a saint. i'd like to see this initiative to work, but there has to be extream caution in getting this bulletproof.

CISSP, CEH, ECSA, OSCP, OSWP, eCPPT, eWAPT

earning my stripes appears to be a road i must travel alone...with a little help of EH.net

Under the terms of the ZDI initiative, I think that when Tipping Point doesn't reach an agreement on a zero day, the can (and must) wash their hands of it and pretend it doesn't exist.

As for the screening of submissions made by script kiddies who steal the code from legitimate hackers, I don't think Tipping Point has a dog in this fight. Don't give your zero day code to anyone you are worried might disclose it. Disclosing someone else's zero day code might be unethical, but at the same time still serve the greater good. At the end of the day, Tipping Point only needs to protect its clients in the most efficient manner possible. If that involves purchasing code from less than golden individuals, so be it.

On a personal note, although I don't use Tipping Point, I've had the demo. If management would sign off on it, I'd have bought this product last year, completely independent of the ZDI due to the extensive protocol grammar engines. The ZDI just makes the case for the product that much stronger.

I am not sure how I would feel about myself, when I would have to wash my hands off and forget the 0day I couldn't purchase, if I was Tipping Point. I realize that this program has the potential to increase security and get some 0days out of the wild, but still. It's a tough choice to make, when do I say I can just can't pay you that much and you I give you back your 0day.

Ketchup wrote:I am not sure how I would feel about myself, when I would have to wash my hands off and forget the 0day I couldn't purchase, if I was Tipping Point. I realize that this program has the potential to increase security and get some 0days out of the wild, but still. It's a tough choice to make, when do I say I can just can't pay you that much and you I give you back your 0day.

in theory this goes completely against the purpose (mission and vision) of the company, making the whole idea ridiculous.

CISSP, CEH, ECSA, OSCP, OSWP, eCPPT, eWAPT

earning my stripes appears to be a road i must travel alone...with a little help of EH.net